Fix: CORS headers missing on photo static files #207

Closed
opened 2026-03-28 16:59:08 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Discovered during girls roster validation 2026-03-28. Marcus's iPhone getting ERR_BLOCKED_BY_ORB and ERR_NETWORK_CHANGED on player photos. Related to westside-app#129.

Repo

forgejo_admin/basketball-api

User Story

As an admin, I want to assign players to teams via draft board so that placement is transparent and trackable (WS-S6).

Context

Player photos are served from basketball-api.tail5b443a.ts.net/uploads/photos/ via FastAPI StaticFiles mount. The westside-app loads these cross-origin from westsidekingsandqueens.tail5b443a.ts.net. The CORS middleware on the FastAPI app does NOT apply to mounted sub-applications (StaticFiles). Chrome blocks the responses with ORB (Cross-Origin Read Blocking), causing perpetual loading on the draft board.

File Targets

Files the agent should modify:

  • src/basketball_api/main.py -- move StaticFiles mount out of lifespan, or replace with a custom route that serves files with CORS headers

Files the agent should NOT touch:

  • No other files needed

Acceptance Criteria

  • curl -I https://basketball-api.tail5b443a.ts.net/uploads/photos/ANY.jpeg includes Access-Control-Allow-Origin header
  • Draft board photos load without ORB errors on cross-origin requests
  • Existing photo upload flow unaffected

Test Expectations

  • pytest tests/ passes
  • Manual curl verification of CORS headers on photo responses
  • Run command: pytest tests/ -x

Constraints

  • FastAPI StaticFiles sub-apps don't inherit parent CORS middleware
  • Fix must apply CORS to the /uploads/photos path specifically
  • Do not break existing photo upload endpoints

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-westside-basketball -- project this affects
  • westside-app#129 -- parent validation ticket
  • basketball-api#205 -- related data cleanup
forgejo_admin 2026-03-28 17:04:31 +00:00
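
One way to meet the constraint that CORS applies to the /uploads/photos path specifically is to wrap the mounted sub-app in a small ASGI layer that sets the header itself. This is an added example, not code from the basketball-api repository; `StaticCORS`, `probe`, the stub app and the single-origin allowlist are assumptions for illustration.

```python
import asyncio

# Assumption: only the westside-app origin named in the issue may read photos cross-origin.
ALLOWED_ORIGINS = {"https://westsidekingsandqueens.tail5b443a.ts.net"}

class StaticCORS:
    """Pure-ASGI wrapper (hypothetical name) that adds CORS headers to a sub-app's responses."""
    def __init__(self, app, allowed_origins):
        self.app = app
        self.allowed = {o.encode("latin-1") for o in allowed_origins}

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        origin = dict(scope.get("headers", [])).get(b"origin")

        async def send_with_cors(message):
            if message["type"] == "http.response.start":
                headers = [(k, v) for k, v in message.get("headers", [])
                           if k.lower() != b"access-control-allow-origin"]
                # Caches must key on Origin because the header value depends on it.
                headers.append((b"vary", b"Origin"))
                if origin in self.allowed:
                    headers.append((b"access-control-allow-origin", origin))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_cors)

# Intended use (assumption): app.mount("/uploads/photos", StaticCORS(StaticFiles(directory=<photo dir>), ALLOWED_ORIGINS))

async def _stub_photo_app(scope, receive, send):
    # Constructed stand-in for the StaticFiles sub-app: always returns a tiny JPEG-typed body.
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"image/jpeg")]})
    await send({"type": "http.response.body", "body": b"\xff\xd8\xff"})

def probe(origin=None):
    """Run one GET through the wrapper and return the response headers as a dict."""
    sent = []
    scope = {"type": "http", "method": "GET", "path": "/ANY.jpeg",
             "headers": [(b"origin", origin.encode())] if origin else []}
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(StaticCORS(_stub_photo_app, ALLOWED_ORIGINS)(scope, receive, send))
    return dict(sent[0]["headers"])
```

With this allowlist the header is only returned when the request carries a matching `Origin`, so the manual curl check needs `-H 'Origin: https://westsidekingsandqueens.tail5b443a.ts.net'` added to it.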